850072b510695bd8649daad557e371b869054361e888d1aa4ffa51cf8e8c7c87

General

Target

bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe
Size

37KB
MD5

bb9d4ebcc754a7e6cb7536b735d85fdf
SHA1

62a93b979c2634af2b39520df73249747bbed84c
SHA256

850072b510695bd8649daad557e371b869054361e888d1aa4ffa51cf8e8c7c87
SHA512

e727a8e987da902339c6ceef93e163fedaa8a0a03c5e0784ac919653f0428f8723ebab7d232cef80bd1337956254c4333fba500ee85fdfdc2a80884822e48363
SSDEEP

384:gUG23hUidkGXR21cGMy8Pqq53tGFlymZErAF+rMRTyN/0L+EcoinblneHQM3epzs:JG23ZLGv8Pqq58im+rM+rMRa8NuFgt

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1076 netsh.exe

pid	process
1076	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

server5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18df5afc301de09badbb5fa494c2daf3.exe	server5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18df5afc301de09badbb5fa494c2daf3.exe	server5.exe

Executes dropped EXE 1 IoCs

Processes:

server5.exe

pid process

3428 server5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3428	server5.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server5.exe

description	pid	process
Token: SeDebugPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe
Token: 33	3428	server5.exe
Token: SeIncBasePriorityPrivilege	3428	server5.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exeserver5.exe

description	pid	process	target process
PID 1904 wrote to memory of 3428	1904	bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe	server5.exe
PID 1904 wrote to memory of 3428	1904	bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe	server5.exe
PID 1904 wrote to memory of 3428	1904	bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe	server5.exe
PID 3428 wrote to memory of 1076	3428	server5.exe	netsh.exe
PID 3428 wrote to memory of 1076	3428	server5.exe	netsh.exe
PID 3428 wrote to memory of 1076	3428	server5.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb9d4ebcc754a7e6cb7536b735d85fdf_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\server5.exe
"C:\Users\Admin\AppData\Local\Temp\server5.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server5.exe" "server5.exe" ENABLE
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server5.exe
Filesize
37KB

MD5
bb9d4ebcc754a7e6cb7536b735d85fdf

SHA1
62a93b979c2634af2b39520df73249747bbed84c

SHA256
850072b510695bd8649daad557e371b869054361e888d1aa4ffa51cf8e8c7c87

SHA512
e727a8e987da902339c6ceef93e163fedaa8a0a03c5e0784ac919653f0428f8723ebab7d232cef80bd1337956254c4333fba500ee85fdfdc2a80884822e48363

Download Submit
memory/1904-0-0x0000000074A32000-0x0000000074A33000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-2-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1904-12-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-13-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3428-15-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads